libvirt: Support cert_file and key_file

This introduces parameters to customize cert_file and key_file used for tls connections in libvirt, in addition to ca_file and crl_file which are currently supported. Closes-Bug: #2055160 Change-Id: I597b4d61661a21470ed76ba259f276c2ceffc5ba
2024-02-28 00:52:29 +09:00 · 2024-02-28 00:52:29 +09:00 · d1359ab1f5
commit d1359ab1f5
parent 332fb89413
3 changed files with 62 additions and 20 deletions
--- a/manifests/migration/libvirt.pp
+++ b/manifests/migration/libvirt.pp
@ -123,6 +123,18 @@
 #   See https://libvirt.org/guide/html/Application_Development_Guide-Architecture-Remote_URIs.html
 #   Defaults to {}
 #
+# [*key_file*]
+#   (optional) Specifies the key file that the TLS transport will use.
+#   Note that this is only used if the TLS transport is enabled via the
+#   "transport" option.
+#   Defaults to $facts['os_service_default']
+#
+# [*cert_file*]
+#   (optional) Specifies the certificate file that the TLS transport will use.
+#   Note that this is only used if the TLS transport is enabled via the
+#   "transport" option.
+#   Defaults to $facts['os_service_default']
+#
 # [*ca_file*]
 #   (optional) Specifies the CA certificate that the TLS transport will use.
 #   Note that this is only used if the TLS transport is enabled via the
@ -181,6 +193,8 @@ class nova::migration::libvirt(
  $client_user                         = undef,
  $client_port                         = undef,
  Hash $client_extraparams             = {},
+  $key_file                            = $facts['os_service_default'],
+  $cert_file                           = $facts['os_service_default'],
  $ca_file                             = $facts['os_service_default'],
  $crl_file                            = $facts['os_service_default'],
  $libvirt_version                     = $::nova::compute::libvirt::version::default,
@ -292,20 +306,26 @@ class nova::migration::libvirt(
    }

    if $transport == 'tls' {
-      $auth_tls_real = $auth
-      $auth_tcp_real = $facts['os_service_default']
-      $ca_file_real  = $ca_file
-      $crl_file_real = $crl_file
+      $auth_tls_real  = $auth
+      $auth_tcp_real  = $facts['os_service_default']
+      $key_file_real  = $key_file
+      $cert_file_real = $cert_file
+      $ca_file_real   = $ca_file
+      $crl_file_real  = $crl_file
    } elsif $transport == 'tcp' {
-      $auth_tls_real = $facts['os_service_default']
-      $auth_tcp_real = $auth
-      $ca_file_real  = $facts['os_service_default']
-      $crl_file_real = $facts['os_service_default']
+      $auth_tls_real  = $facts['os_service_default']
+      $auth_tcp_real  = $auth
+      $key_file_real  = $facts['os_service_default']
+      $cert_file_real = $facts['os_service_default']
+      $ca_file_real   = $facts['os_service_default']
+      $crl_file_real  = $facts['os_service_default']
    } else {
-      $auth_tls_real = $facts['os_service_default']
-      $auth_tcp_real = $facts['os_service_default']
-      $ca_file_real  = $facts['os_service_default']
-      $crl_file_real = $facts['os_service_default']
+      $auth_tls_real  = $facts['os_service_default']
+      $auth_tcp_real  = $facts['os_service_default']
+      $key_file_real  = $facts['os_service_default']
+      $cert_file_real = $facts['os_service_default']
+      $ca_file_real   = $facts['os_service_default']
+      $crl_file_real  = $facts['os_service_default']
    }

    $libvirt_listen_config = $modular_libvirt_real ? {
@ -314,10 +334,12 @@ class nova::migration::libvirt(
    }

    create_resources( $libvirt_listen_config , {
-      'auth_tls' => { 'value' => $auth_tls_real, 'quote' => true },
-      'auth_tcp' => { 'value' => $auth_tcp_real, 'quote' => true },
-      'ca_file'  => { 'value' => $ca_file_real, 'quote'  => true },
-      'crl_file' => { 'value' => $crl_file_real, 'quote' => true },
+      'auth_tls'  => { 'value' => $auth_tls_real,  'quote' => true },
+      'auth_tcp'  => { 'value' => $auth_tcp_real,  'quote' => true },
+      'key_file'  => { 'value' => $key_file_real,  'quote' => true },
+      'cert_file' => { 'value' => $cert_file_real, 'quote' => true },
+      'ca_file'   => { 'value' => $ca_file_real,   'quote' => true },
+      'crl_file'  => { 'value' => $crl_file_real,  'quote' => true },
    })

    if $transport == 'tls' or $transport == 'tcp' {
--- a/releasenotes/notes/libvirt-tls-key-and-cert-539e13253c28453d.yaml
+++ b/releasenotes/notes/libvirt-tls-key-and-cert-539e13253c28453d.yaml
@ -0,0 +1,8 @@
+---
+features:
+  - |
+    The ``nova::migration::libvirt`` class now supports the following two new
+    parameters.
+
+    - ``cert_file``
+    - ``key_file``
--- a/spec/classes/nova_migration_libvirt_spec.rb
+++ b/spec/classes/nova_migration_libvirt_spec.rb
@ -35,6 +35,8 @@ describe 'nova::migration::libvirt' do
    context 'with default params' do
      it { is_expected.to contain_libvirtd_config('auth_tls').with_value('<SERVICE DEFAULT>').with_quote(true) }
      it { is_expected.to contain_libvirtd_config('auth_tcp').with_value('none').with_quote(true) }
+      it { is_expected.to contain_libvirtd_config('key_file').with_value('<SERVICE DEFAULT>').with_quote(true) }
+      it { is_expected.to contain_libvirtd_config('cert_file').with_value('<SERVICE DEFAULT>').with_quote(true) }
      it { is_expected.to contain_libvirtd_config('ca_file').with_value('<SERVICE DEFAULT>').with_quote(true) }
      it { is_expected.to contain_libvirtd_config('crl_file').with_value('<SERVICE DEFAULT>').with_quote(true) }
      it { is_expected.to contain_nova_config('libvirt/migration_inbound_addr').with_value('<SERVICE DEFAULT>')}
@ -89,6 +91,8 @@ describe 'nova::migration::libvirt' do
      end
      it { is_expected.to contain_libvirtd_config('auth_tls').with_value('none').with_quote(true) }
      it { is_expected.to contain_libvirtd_config('auth_tcp').with_value('<SERVICE DEFAULT>').with_quote(true) }
+      it { is_expected.to contain_libvirtd_config('key_file').with_value('<SERVICE DEFAULT>').with_quote(true) }
+      it { is_expected.to contain_libvirtd_config('cert_file').with_value('<SERVICE DEFAULT>').with_quote(true) }
      it { is_expected.to contain_libvirtd_config('ca_file').with_value('<SERVICE DEFAULT>').with_quote(true) }
      it { is_expected.to contain_libvirtd_config('crl_file').with_value('<SERVICE DEFAULT>').with_quote(true) }
      it { is_expected.to contain_nova_config('libvirt/live_migration_uri').with_value('qemu+tls://%s/system')}
@ -160,6 +164,8 @@ describe 'nova::migration::libvirt' do
      end
      it { is_expected.to contain_libvirtd_config('auth_tls').with_value('<SERVICE DEFAULT>').with_quote(true) }
      it { is_expected.to contain_libvirtd_config('auth_tcp').with_value('sasl').with_quote(true) }
+      it { is_expected.to contain_libvirtd_config('key_file').with_value('<SERVICE DEFAULT>').with_quote(true) }
+      it { is_expected.to contain_libvirtd_config('cert_file').with_value('<SERVICE DEFAULT>').with_quote(true) }
      it { is_expected.to contain_libvirtd_config('ca_file').with_value('<SERVICE DEFAULT>').with_quote(true) }
      it { is_expected.to contain_libvirtd_config('crl_file').with_value('<SERVICE DEFAULT>').with_quote(true) }
    end
@ -173,6 +179,8 @@ describe 'nova::migration::libvirt' do
      end
      it { is_expected.to contain_libvirtd_config('auth_tls').with_value('sasl').with_quote(true) }
      it { is_expected.to contain_libvirtd_config('auth_tcp').with_value('<SERVICE DEFAULT>').with_quote(true) }
+      it { is_expected.to contain_libvirtd_config('key_file').with_value('<SERVICE DEFAULT>').with_quote(true) }
+      it { is_expected.to contain_libvirtd_config('cert_file').with_value('<SERVICE DEFAULT>').with_quote(true) }
      it { is_expected.to contain_libvirtd_config('ca_file').with_value('<SERVICE DEFAULT>').with_quote(true) }
      it { is_expected.to contain_libvirtd_config('crl_file').with_value('<SERVICE DEFAULT>').with_quote(true) }
    end
@ -181,14 +189,18 @@ describe 'nova::migration::libvirt' do
      let :params do
        {
          :transport => 'tls',
-          :ca_file   => '/ca',
-          :crl_file  => '/crl',
+          :key_file  => '/etc/pki/libvirt/private/serverkey.pem',
+          :cert_file => '/etc/pki/libvirt/servercert.pem',
+          :ca_file   => '/etc/pki/CA/cacert.pem',
+          :crl_file  => '/etc/pki/CA/crl.pem',
        }
      end
      it { is_expected.to contain_libvirtd_config('auth_tls').with_value('none').with_quote(true) }
      it { is_expected.to contain_libvirtd_config('auth_tcp').with_value('<SERVICE DEFAULT>').with_quote(true) }
-      it { is_expected.to contain_libvirtd_config('ca_file').with_value('/ca').with_quote(true) }
-      it { is_expected.to contain_libvirtd_config('crl_file').with_value('/crl').with_quote(true) }
+      it { is_expected.to contain_libvirtd_config('key_file').with_value('/etc/pki/libvirt/private/serverkey.pem').with_quote(true) }
+      it { is_expected.to contain_libvirtd_config('cert_file').with_value('/etc/pki/libvirt/servercert.pem').with_quote(true) }
+      it { is_expected.to contain_libvirtd_config('ca_file').with_value('/etc/pki/CA/cacert.pem').with_quote(true) }
+      it { is_expected.to contain_libvirtd_config('crl_file').with_value('/etc/pki/CA/crl.pem').with_quote(true) }
    end

    context 'with auth set to an invalid setting' do